Sep 1, 2020 11:37 AM
The Privacy Shield is no longer valid, meaning that we can no longer store EU citizens' data in the US. We're looking for a proper legal basis to continue using HubSpot. Any info is appreciated.
Sep 2, 2020 4:19 AM
Thanks for reaching out.
I want to tag in some thought leaders to see if they can assist with this.
Sep 3, 2020 3:45 AM
Hi @rolffokkens,
Thanks for sharing.
Just to get a quick caveat in: I'm not a lawyer, don't work for HubSpot, etc., etc. 🙂
However, as alluded to in that article, I believe HS relies on SCCs rather than the Privacy Shield for this case.
The pertinent document seems to be this one, which was just updated a couple of days ago in light of this ruling: https://legal.hubspot.com/dpa
Privacy Shield: Although HubSpot, Inc. does not rely on the EU-US Privacy Shield as a legal basis for transfers of Personal Data in light of the judgment of the Court of Justice of the EU in Case C-311/18, for as long as HubSpot, Inc. is self-certified to the Privacy Shield HubSpot Inc will process European Data in compliance with the Privacy Shield Principles and let you know if it is unable to comply with this requirement.
There's a lot more in the whole document around the SCCs and data transfer and compliance in general.
Hope that helps!
Did I answer your question? If your question is answered, please mark it as a solution. If you need more help, hit that big orange 'Reply' button!
Sep 4, 2020 3:13 PM
@mike-ward is right. I understand from a memo our data privacy team shared that customers can continue to use HubSpot without disruption because HubSpot's Customer Data Processing Agreement (DPA) includes the Standard Contractual Clauses (SCCs) as the mechanism to transfer data from the EU to the US. You do not need to take any action for the SCCs to apply because they are already incorporated in the DPA as referenced by our Customer Terms of Service (TOS). More details available here.
On a related note, I'm interested in hearing more about how HubSpot could better support privacy needs and make things easier for you. Please message me if you're willing to talk about it with me - I have some ideas, and I'd like to hear your thoughts!
Sep 9, 2020 11:10 AM
The Privacy Shield allowed EU citizen data to be stored in the US; without it (the EU no longer considers the Privacy Shield valid), EU citizen data must be stored in the EU. Partly for this reason, all major cloud providers (AWS, Azure, Gcloud) have datacenters in the EU.
Assuming HubSpot is also using cloud, I'd suggest using EU-based cloud services for EU customers. Make this known, and certify this. Then our (EU-based company) problem is solved, I think.
From a technical perspective I have no doubt that the NSA will still be able to access data in EU-based cloud services for any US-based cloud provider (AWS, Azure, Gcloud), but apparently that is not debated in the EU.
Sep 17, 2020 8:57 AM
Thank you for confirming that HubSpot's Customer Data Processing Agreement (DPA) includes the Standard Contractual Clauses (SCCs) as the mechanism to transfer data from the EU to the US, and that HubSpot customers don't need to take any action for the SCCs to apply because they are already incorporated in the DPA as referenced by the HS Customer Terms of Service (TOS).
My question is: Was this also confirmed by any EU lawyers? It would be very useful for your customers to have this reassurance. Can you tell me whom I should contact to clarify this point?
Sep 21, 2020 3:37 AM - edited Sep 21, 2020 3:56 AM
It would be interesting to hear whether there are any plans for a European sandbox environment where no data leaves the EU and it is only handled by HubSpot staff in the EU. I do not know if you have to set up a European company that is not owned by the American company to get away from the US CLOUD Act. With this setup you should be fully compliant.
Sep 21, 2020 3:35 PM
What an interesting conversation we have going here!
@Mihaela2018 I don't know which lawyers were involved on HubSpot's side, and definitely recommend you consult with your own legal counsel to make sure your particular setup follows best practices. I don't think any single lawyer, regardless of where they're located, can make a blanket statement that would suit everyone's needs.
It seems like there's some misunderstanding in this thread about the CLOUD Act; read more about that here. Disclaimer: I'm not a lawyer, I've just been reading about this since you all mentioned it 😁 but from what I understand, the CLOUD Act doesn't make it so that the US government can just get whatever data they want. It seems to be more about facilitating data sharing between countries in the pursuit of serious criminal cases. It doesn't even require any company to share data that is requested; it just makes it easier for countries to process the request. Interestingly, it seems that the US receives many more requests for data than it sends out to other countries, probably because there are so many communications service providers in the US.
Sep 21, 2020 4:03 PM
Max Schrems, who won this judgment, gave very clear and detailed instructions that show what companies in Europe now have to do (including sample questionnaires to US companies based in Europe).
Read more here: https://noyb.eu/en/next-steps-eu-companies-faqs
Sep 21, 2020 4:57 PM
That looks like a great resource, thanks for sharing! The FISA factor seems like a key question, and some big providers are listed there as being "under FISA". So I'm curious, are there any go-to hosting providers that are generally seen as go-to sources for companies that need to comply with GDPR?
Sep 21, 2020 5:04 PM - edited Sep 21, 2020 5:04 PM
Look, things are simple. SCCs cannot be granted, as it is clear that the US government has access to all US company servers through various laws. "Privacy Shield" is history, and the SCCs are therefore not possible. No US company can sign SCCs with a "clear conscience", because it is clear that what they are signing cannot comply with the law, namely the data sovereignty of users within Europe.
Sep 22, 2020 3:34 AM
Thanks for the good discussion. Unfortunately, it feels like the future will involve a lot of work with legal discussions and interpretations. If you have to create a European company, you can always apply the IKEA structure, where the European companies buy licenses and the right to use HubSpot as a trademark from the American company 🙂